Null pointer dereference crash in Group::activate() -> Wnck::activate()
I've gotten this particular crash at least twice so far. When performing something (not sure, but the backtrace indicates I tried clicking on an app group icon), Docklike sometimes crashes. I have the following asan trace:
==107875==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x7ffff01ebaef bp 0x000002cfeb32 sp 0x7fffffffd890 T0)
==107875==The signal is caused by a READ memory access.
==107875==Hint: address points to the zero page.
#0 0x7ffff01ebaef in Wnck::activate(GroupWindow*, unsigned int) /home/nyanpasu64/.cache/paru/clone/xfce4-docklike-plugin-local/src/xfce4-docklike-plugin/src/Wnck.cpp:135
#1 0x7ffff01e5f20 in Group::activate(unsigned int) /home/nyanpasu64/.cache/paru/clone/xfce4-docklike-plugin-local/src/xfce4-docklike-plugin/src/Group.cpp:246
#2 0x7ffff01e63bb in operator() /home/nyanpasu64/.cache/paru/clone/xfce4-docklike-plugin-local/src/xfce4-docklike-plugin/src/Group.cpp:97
#3 0x7ffff01e63bb in _FUN /home/nyanpasu64/.cache/paru/clone/xfce4-docklike-plugin-local/src/xfce4-docklike-plugin/src/Group.cpp:97
#4 0x7ffff6e3df77 in _gtk_marshal_BOOLEAN__BOXED gtk/gtkmarshalers.c:84
#5 0x7ffff6954d8e in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x12d8e)
#6 0x7ffff6970717 (/usr/lib/libgobject-2.0.so.0+0x2e717)
#7 0x7ffff697140a in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x2f40a)
#8 0x7ffff697232f in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x3032f)
#9 0x7ffff70fe294 in gtk_widget_event_internal.part.0.lto_priv.0 ../gtk/gtk/gtkwidget.c:7812
#10 0x7ffff6f9ae94 in propagate_event_up ../gtk/gtk/gtkmain.c:2588
#11 0x7ffff6f9ae94 in propagate_event ../gtk/gtk/gtkmain.c:2691
#12 0x7ffff6f9bdc2 in gtk_main_do_event ../gtk/gtk/gtkmain.c:1921
#13 0x7ffff6f9bdc2 in gtk_main_do_event ../gtk/gtk/gtkmain.c:1691
#14 0x7ffff6cffd42 in _gdk_event_emit ../gtk/gdk/gdkevents.c:73
#15 0x7ffff6cffd42 in _gdk_event_emit ../gtk/gdk/gdkevents.c:67
#16 0x7ffff6d4c2d7 in gdk_event_source_dispatch.lto_priv.1 (/usr/lib/libgdk-3.so.0+0x892d7)
#17 0x7ffff68474db in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x544db)
#18 0x7ffff689b798 (/usr/lib/libglib-2.0.so.0+0xa8798)
#19 0x7ffff6846a62 in g_main_loop_run (/usr/lib/libglib-2.0.so.0+0x53a62)
#20 0x7ffff6f91b4e in gtk_main ../gtk/gtk/gtkmain.c:1329
#21 0x55555555b496 in main /usr/src/debug/xfce4-panel-4.16.3/wrapper/main.c:432
#22 0x7ffff664eb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
#23 0x5555555597dd in _start (/usr/lib/xfce4/panel/wrapper-2.0+0x57dd)
I think the chain of events is g_signal_connect(G_OBJECT(mButton), "button-release-event", ...) → Group::onButtonRelease() (inlined) → Group::activate(). This calls GroupWindow* groupWindow = mWindows.get(mTopWindowIndex), which returns nullptr, then calls groupWindow->activate(timestamp) or GroupWindow::activate() (inlined) on a null pointer (which is UB but doesn't crash). This calls Wnck::activate(this, timestamp) or void activate(GroupWindow* groupWindow, guint32 timestamp), which then dereferences the null pointer GroupWindow* groupWindow.
If my understanding is correct, then the problem is that Group::activate() assumes that mWindows.get(mTopWindowIndex) is non-null when it's actually null. (There are some other possible causes, like 0x1 or such being stored as a value in mWindows, and groupWindow->mWnckWindow being located at an offset of 0x10 on my 64-bit machine. I'm not sure exactly; I might make a debug build to find out, but can't promise it.)
Is mWindows ever supposed to not contain mTopWindowIndex as a key? If this is a valid state, then all calls to mWindows.get(mTopWindowIndex) need to check for null. If not, I think adding assertions (either on a debug branch or in master) that mWindows contains mTopWindowIndex (verified whenever either is mutated) will help pinpoint what causes the bug to happen.